Qualys Web Application Firewall

Apps & APIs are Everywhere

- Public-Facing Web Apps
- Internal Web Apps
- Apps in Public Clouds (Amazon Web Services, Google Cloud Platform, Microsoft Azure)
- REST APIs
- New Apps under Development
Insecure Apps & APIs are a Problem

- Business depends on web applications
- Any of them can be a foothold into your organization
- Developers are not incentivized for security
- Cloud-based apps are easy for developers to deploy

Web Applications are Being Targeted

- Most common data breach pattern *
- Top hacking vector *

Examples:
- U.S. Postal Service (API)
- Facebook (API)
- Google+ (API)
- MyFitnessPal (API?) 2017

* Source: 2018 Verizon DBIR


DevOps challenges how security is done

- Security should start in dev
- Security should be a continuous effort
- Security is a global concern
- CI/CD tools are powerful

New challenges:

- What is in production?
- What server is this app on?
- CI/CD pipe's privileges?
- Inefficient/late security
- Slowed-down delivery

Web Application Security Built-in, Not Bolted On

Traditional AppSec Operations: business -> dev -> integration -> assessment and mitigation -> remediation -> production
The way of the DevSecOps

[Diagram: Developers -> Commit -> CI/CD tool (Jenkins; merges, pulls, builds...) -> Deploy. The CI/CD tool calls the Qualys WAS API Engine, which drives the Qualys Scanner Appliance and ScanTrust; a Connector links the WAS Engine to the Qualys Firewall Appliance; Infosec/SOC consume the results.]
WAS / WAF Integration: ScanTrust

ScanTrust: Challenge your WAF protection
Assess both the application and the policy that protects it

[Screenshot: WAS Detection List for waf-demo.qualys.com. Findings such as Blind SQL Injection (QID 150012, /bodgeit/login.jsp), Reflected Cross-Site Scripting (XSS) (QID 150001, /bodgeit/search.jsp) and Browser-Specific Cross-Site Scripting are shown with status "Protected"; the Quick Actions menu offers View, Ignore, Install Patch, Edit Severity and External References, and the Status filter lists New, Active, Re-Opened, Protected and Fixed.]
WAS / WAF Integration: Virtual Patch

Virtual Patch: One-click mitigation tool for CISO teams
Run from within WAS to address confirmed threats

[Screenshot: "You are about to install a virtual patch" dialog.] We'll automatically add a virtual patch rule to your WAF to block exploitation of the selected vulnerability on your web application. You can easily remove the virtual patch (and rule) at any time either here or from the WAF management interface.

[Screenshot: virtual patch rule editor. Conditions are expressed on request attributes, for example request.path MATCH <regex>, request.header.Content-Type MATCH a multipart/form-data pattern, request.header.Content-Type DETECT 150173, and request.query-string parameter p MATCH ^.*admin.*$]
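To make the rule-editor screenshot concrete, here is an added example (not Qualys code, and not the WAF's real rule language) of how a virtual patch of this kind is evaluated: a rule is an AND of conditions, each matching a regular expression against one request attribute (path, a header, or a query-string parameter). The `^.*admin.*$` pattern on parameter `p` is taken from the slide; the `/login.jsp` and `/upload` paths, the multipart rule and the `Request`/`Rule` model are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    """Constructed HTTP request as a reverse-proxy WAF would see it (headers keyed lower-case)."""
    method: str
    url: str
    headers: dict = field(default_factory=dict)

    def __post_init__(self):
        self.headers = {k.lower(): v for k, v in self.headers.items()}

    @property
    def path(self) -> str:
        return urlsplit(self.url).path

    def query_param(self, name: str) -> list:
        # keep_blank_values so that "?p=" still yields a (blank) value to inspect
        return parse_qs(urlsplit(self.url).query, keep_blank_values=True).get(name, [])


@dataclass
class Condition:
    """One 'attribute MATCH regex' clause; attribute is 'path', 'header:<name>' or 'query:<name>'."""
    attribute: str
    pattern: str

    def values(self, req: Request) -> list:
        kind, _, name = self.attribute.partition(":")
        if kind == "path":
            return [req.path]
        if kind == "header":
            return [req.headers.get(name.lower(), "")]
        if kind == "query":
            return req.query_param(name)          # every repeated value is checked
        raise ValueError(f"unknown attribute {self.attribute!r}")

    def holds(self, req: Request) -> bool:
        rx = re.compile(self.pattern)
        return any(rx.search(v) for v in self.values(req))


@dataclass
class Rule:
    """All conditions must hold (AND) for the rule to fire."""
    name: str
    conditions: list
    action: str = "block"

    def matches(self, req: Request) -> bool:
        return all(c.holds(req) for c in self.conditions)


# Two hypothetical virtual patches. The regex on parameter p is the one visible in the
# slide's rule editor; the paths and the multipart rule are assumptions for this example.
VIRTUAL_PATCHES = [
    Rule("vp-admin-in-p", [
        Condition("path", r"^/login\.jsp$"),
        Condition("query:p", r"^.*admin.*$"),
    ]),
    Rule("vp-multipart-upload", [
        Condition("path", r"^/upload"),
        Condition("header:content-type", r"^multipart/form-data"),
    ]),
]


def inspect_request(rules: list, req: Request) -> tuple:
    """Return (action, rule name) for the first rule that fires, else ('allow', None)."""
    for rule in rules:
        if rule.matches(req):
            return rule.action, rule.name
    return "allow", None


if __name__ == "__main__":
    for r in (
        Request("GET", "https://app.example.com/login.jsp?p=admin"),
        Request("GET", "https://app.example.com/login.jsp?p=user"),
        Request("POST", "https://app.example.com/upload", {"Content-Type": "multipart/form-data; boundary=xyz"}),
        Request("POST", "https://app.example.com/upload", {"Content-Type": "application/json"}),
    ):
        print(r.method, r.url, "->", inspect_request(VIRTUAL_PATCHES, r))
```

The path condition is what keeps a virtual patch narrow: without it, the `admin` pattern would block every request carrying that substring in `p` anywhere on the site, which is the kind of over-broad rule that produces false positives and gets the patch removed.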
And Coming in 2019

API Security
Remi Le Mer




Web Application Scanning Review

Qualys WAS

- A leading dynamic application security testing (DAST) tool
- Delivered via the Qualys Cloud Platform
- Identifies app-layer vulnerabilities: OWASP Top 10, web-related CVEs
- Includes automated crawling
- Supports Selenium scripts
- Malware monitoring as a bonus
[Screenshot: Qualys WAS "Web Application Management" view (Dashboard, Web Applications, Scans, Detections, Reports, Configuration, KnowledgeBase). Discovered web applications are listed by IP address, port and NetBIOS name with a status of New, Rogue, Approved or Ignored; actions include Open in Browser, Add Comment, Add To Subscription and Approve. The preview pane shows http://2k3r2-sp1-32bit.vuln.qa.qualys.com:8080 (Operating System: Windows Server 2003 R2 Service Pack 1) with the system comment "Web Application added from scan consolidated data from VM", dated 23 Aug 2017.]
Built for the Enterprise

- Web app discovery
- Unlimited scans & users
- RBAC
- Tagging
- Scheduled scans
- Ad-hoc, targeted scans
- Multi-site scans
- Retest vulnerability
- Scan for malware
- Massive scalability
- Detection history
- Scheduled reports
- Customizable reports
- Swagger support
- Robust API
- CI/CD integration
- Unique integration w/ Qualys WAF
- Integration with manual pen testing tools
What's New in Qualys WAS

Scanning REST APIs

Swagger: https://swagger.io
OpenAPI: https://www.openapis.org

- Swagger is a specification that describes a set of REST APIs
- Swagger file typically available from dev team
- Set Swagger file as target URL in Qualys WAS
- API endpoints are automatically tested for vulnerabilities
- Swagger v2 JSON format currently supported
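What a scanner does first with a Swagger file is turn it into a list of operations and parameters to exercise. The following added example (my own code, not the WAS engine) parses a constructed Swagger 2.0 JSON document into that list, resolves `$ref` body schemas into injectable field names, and flags operations that declare no security requirement, which is the first thing worth reviewing before pointing a DAST at an API. The `api.example.com` spec and the `api_key` scheme are constructed sample data.

```python
import json

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}

# Constructed Swagger 2.0 document standing in for the file a dev team would hand over.
SAMPLE_SWAGGER = json.loads(r"""
{
  "swagger": "2.0",
  "info": {"title": "Orders API (constructed sample)", "version": "1.0"},
  "host": "api.example.com",
  "basePath": "/v1",
  "schemes": ["https"],
  "securityDefinitions": {"api_key": {"type": "apiKey", "name": "X-API-Key", "in": "header"}},
  "paths": {
    "/orders": {
      "get":  {"parameters": [{"name": "status", "in": "query", "type": "string"}]},
      "post": {"parameters": [{"name": "body", "in": "body",
                               "schema": {"$ref": "#/definitions/Order"}}]}
    },
    "/orders/{id}": {
      "parameters": [{"name": "id", "in": "path", "required": true, "type": "integer"}],
      "get": {},
      "delete": {"security": [{"api_key": []}]}
    }
  },
  "definitions": {
    "Order": {"type": "object",
              "properties": {"sku": {"type": "string"}, "qty": {"type": "integer"}}}
  }
}
""")


def resolve_ref(spec: dict, schema: dict) -> dict:
    """Follow local '#/definitions/...' references until a concrete schema is reached."""
    while "$ref" in schema:
        node = spec
        for part in schema["$ref"].lstrip("#/").split("/"):
            node = node[part]
        schema = node
    return schema


def parameter_names(spec: dict, params: list) -> list:
    """Flatten path/query/header/form parameters and body schema properties into 'name(location)'."""
    names = []
    for p in params:
        if p.get("in") == "body":
            props = resolve_ref(spec, p.get("schema", {})).get("properties", {})
            names.extend(f"{k}(body)" for k in props)
        else:
            names.append(f"{p['name']}({p['in']})")
    return names


def enumerate_endpoints(spec: dict) -> list:
    """List every operation in a Swagger v2 document: the surface a DAST would exercise."""
    if spec.get("swagger") != "2.0":
        raise ValueError("only Swagger v2 JSON is handled here (the same limit the slide states for WAS)")
    scheme = (spec.get("schemes") or ["https"])[0]
    base = f"{scheme}://{spec.get('host', '')}{spec.get('basePath', '')}"
    default_security = spec.get("security", [])
    endpoints = []
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])      # path-level parameters apply to every method
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            endpoints.append({
                "method": method.upper(),
                "url": base + path,
                "params": parameter_names(spec, shared + op.get("parameters", [])),
                # an operation without any security requirement is reachable unauthenticated
                "secured": bool(op.get("security", default_security)),
            })
    return endpoints


def unsecured_endpoints(endpoints: list) -> list:
    """Operations that declare no security scheme at all."""
    return [f"{e['method']} {e['url']}" for e in endpoints if not e["secured"]]


if __name__ == "__main__":
    eps = enumerate_endpoints(SAMPLE_SWAGGER)
    for e in eps:
        print(e["method"], e["url"], e["params"], "secured" if e["secured"] else "UNSECURED")
    print("unsecured:", unsecured_endpoints(eps))
```

Operations on a spec may also be secured by a document-level `security` block, which is why the default is taken from the top level before the operation's own entry is consulted; a spec that omits both is the case to raise with the dev team before scanning.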


Jenkins Plugin for WAS

[Screenshot: Jenkins Pipeline Syntax / Snippet Generator. This Snippet Generator will help you learn the Pipeline steps which can be used to define various steps: pick a step you are interested in from the list, configure it, click Generate Pipeline Script, and you will see a Pipeline Script statement that would call the step with that configuration. You may copy and paste the whole statement into your script, or pick up just the options you care about; the rest are optional and can be omitted in your script, leaving them at default values. Sample Step: "qualysWASScan: Qualys WAS Plugin for Jenkins". The step's API Login section has API Server URL (e.g. https://qualysapi.qualys.com), API Username, API Password and Use Proxy Settings fields, plus a Test Connection button shown reporting "Connection test successful".]


Manual Testing Complements WAS

- Dynamic application testing is one piece of the AppSec puzzle
- Manual penetration testing is important for your business-critical apps
- Qualys WAS offers:
  - Bugcrowd integration
  - Burp Suite integration
  - Partnerships with consulting shops
Bi-directional Integration with Bugcrowd

Qualys WAS Burp Extension

Burp Suite <-> Web Application Scanning

- A quick, intuitive way to send Burp-discovered issues into WAS
- Provides centralized viewing/reporting of WAS detections + Burp issues
- Available in Burp's BApp Store
Qualys WAS Burp extension

[Screenshot: Burp Suite, Extender > BApp Store, with the "Qualys WAS" Pro extension (last updated 06 Aug 2018) selected.] The BApp Store contains Burp extensions that have been written by users of Burp Suite, to extend Burp's capabilities.

The Qualys WAS Burp extension provides a way to easily push Burp scanner findings to the Web Application Scanning (WAS) module within the Qualys Cloud Platform. As a Qualys WAS customer, you can then view and report Burp issues alongside WAS findings for a more complete picture of your web application's security posture. To learn more about Qualys WAS, its integration with Burp, and the additional security and compliance solutions available in the Qualys Cloud Platform, please visit

Requirements:
- Qualys WAS subscription, including API
- Burp Suite Professional 1.7 or later

Features:
- Straightforward setup and usage
- Selected Burp scanner finding(s) exported to Qualys WAS via context menu
- Option to purge or close existing Burp issues in WAS
- Supports all Qualys shared platforms as well as private cloud platforms
- Upstream proxy server settings in Burp are honored automatically
- Written in Java

Usage:
1. Add the extension to your instance of Burp Suite Professional by installing directly from the "BApp Store" tab within Burp or by loading the jar file from the Extensions tab.
2. In the "Qualys WAS" tab, select the appropriate Qualys platform for your subscription and enter your Qualys username & password.


WAS Enhancements, YTD

Jan 2018: CMS vulns; Multi-scan alerts; Update QID mappings to 2017 OWASP Top 10
April 2018: Swagger; Jenkins plugin; Qualys Browser Recorder; Test Authentication; Exclude parameters
May 2018: Added CSV v2 report; Add'l CMS vulns
June 2018: SST; Header injection; WebLogic RCE; RichFaces RCE; "Spring Break"; PrimeFaces RCE
July 2018: Burp extension; Results for cancelled scans; Improved scan status; Scan settings snapshot; Retest multiple findings
Sept 2018: Browser engine upgrade; XSS Power Mode; Tag apps upon import; ESI injection; WebSocket detection
Oct 2018: Blueimp file upload; Telerik crypto flaw
Qualys WAS Roadmap

WAS Roadmap

Dec 2018: Blind XPATH injection; Improved KB search; Custom report footer; Burp & Bugcrowd findings added to report; Ignore finding time limit; "Launch Now" for scheduled report
Jan 2019: Custom scan intensity; Jenkins plugin v2; Support OpenAPI v3; Support Postman Collections
Feb-Mar 2019: TLS 1.3 support; SSL/TLS detections; Out-of-band detections; Security header tests; Enhanced crawling; CyberArk PIM integration
Q2-Q3 2019: Elasticsearch; New dashboard; UI modernization
Web Application Firewall Review

Qualys WAF

- Integration with WAS
- Architecture improvements
- Integration with Docker
- Security improvements
- Roadmap - standalone
- Roadmap - integrated suite

[Screenshot: Qualys WAF dashboard (Dashboard, Events, Web Applications, Security, WAF Appliances) for all web applications over 08 Oct 2018 - 07 Nov 2018: Activity Timeline, Web Application Statistics, Event Summary, Events, Traffic Origins.]
What's New in Qualys WAF

Supported platforms (Shared and Private Qualys Cloud Platforms)

[Screenshot: "Select Virtual Appliance Image": choose the virtualization platform you want to use to run your WAF appliance on.]

- VMware: standard VMware virtualization platform
- Hyper-V: Microsoft Hyper-V 5.1 virtualization platform
- Amazon EC2: Amazon EC2-Classic, Amazon EC2-VPC
- Microsoft Azure: Microsoft Azure platform
- Google Cloud platform
- Docker platform
WAF Virtual Appliance

Easy and usable architecture

- Virtual reverse-proxy
- Cluster-able within hybrid topologies
- Load-balancing capabilities

WAF Improvements

Virtual Appliance & Container (v1.5.5)

- XML/JSON content inspection
- Docker host integration for backend automation & better performance
- Scheduled upgrades
- Orchestration via Qualys API
Docker Single Host

[Diagram: the docker CLI accesses docker services via unix sockets; the docker host stores images and runs the Web App containers (#1, #2) on a Docker network bridged to the physical network, with the Qualys container providing Continuous Security in front of them.]

Controls:
- containers (start | stop | delete | inspect)
- networks
- images (pull | push | delete)

Docker Multiple Hosts

[Diagram: Web App containers spread across several Docker hosts, each host on its own physical network.]
Security Improvements

- Custom Rules: write and manage your own filters
- XML/JSON inspection
- Virtual Patches and Event Exceptions
- Latency control
- Rewriting capabilities (headers)

Qualys Rulesets and Templates

- DAG-based inspection, programmable logic
- Drupal 8.0.x, Joomla 3.4.x, Magento 2.5-2.6, WordPress 4.2.x-4.3.x
- JBoss 4.x-7.x, OWA 2010-2017, SharePoint 2010-2017, Tomcat 3.0.x
- Qualys Generics for unknown apps
Qualys WAF Roadmap

WAF Roadmap - Standalone

Dec 2018: New Custom Rules keys + Community Library; Revamped Security Events; Enriched CLI and local events logs
Jan 2019: Appliance Major Release (v1.6.0); Improved network management capabilities
Mar 2019: Templates: API Generics, Microsoft ADFS, JD Edwards
Q2 2019: Customizable Dashboard; Alert Reports; Improved RBAC
Q3 2019: Appliance empowered with Network Clustering
Q4 2019: Traffic Management: ddos, ip-reputation, Bots, Scraping
WAF Roadmap - Integrated Suite

Dec 2018: AI - Feed Application inventory with backend information
Jan 2019: UD - WAF widgets and queries (WAS & WAF); ScanTrust enabled on VM
Mar 2019: WAS reports with ScanTrust details
Q2 2019: App's Sitemap v2
Q3 2019: Virtual Patch supports Burp and Bug Bounties
Q4 2019: CV - fetch app's grade and patch


Web Applications & APIs: Integrating and capitalising on the data produced by a Bug Bounty programme

Romain Lecoeuvre, YesWeHack Co-Founder & CTO

A bit of history...

The Bug Bounty principle dates back to 1985 and was developed from 1995 onward by Netscape, to let an organisation improve the security of its information system by relying on a community of vulnerability researchers (crowdsecurity).

[Image: 1983 Hunter & Ready advertisement for the VRTX operating system, an early bug reward offer ($1,000 cash).]


YesWeHack in numbers

- 6000+ registered researchers
- 120+ nationalities
- 65% Europeans
- 5500+ vulnerability reports


Structure of a report

[Screenshot: YesWeHack report "Reflected XSS on http://example.com", Partner Private Program 1, 2 comments, submitted by Hunter 1 on 2018-09-24.]

Report details:
- Bug type: Cross-site Scripting (XSS) - Reflected (CWE-79)
- Scope: /test
- Endpoint: http://example.com/?id=
- Criticity: M
- Vulnerable part: get-parameter
- Part name: id
- Payload: "><svg/onload=alert(document.domain)>
- Application fingerprint: php
- IP used: 12012.32.45
- Update: 1
- Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
- Quality points: 2
- Give 1 bonus point
Integration?

- Retrieving new vulnerability reports via API
- Integrating the qualified reports into a bug tracker (Bitbucket, git, Jira, etc.)


[Screenshot: GitLab integration form with Client ID, Client Secret, Domain (https://internal.dev) and Redirect URI (https://internal.dev/get_token) fields.]
Integration?

Control agent integrated into the CI

- Checks the valid vulnerability reports against the functional tests (security <-> CI/CD)
- Non-regression
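One way to build the non-regression check the slide describes is to turn each validated report into a replayable test case: the payload is sent to the fixed endpoint and the pipeline fails if it is still reflected unencoded. The example below is added for this page (not YesWeHack's agent) and simulates the endpoint with two in-process handlers, the original reflecting code and the fixed one, so it runs offline; `VALIDATED_REPORTS` reuses the payload from the report slide with constructed ids, and the handlers are assumptions about what the vulnerable page did.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Validated reports reduced to the fields a regression test needs (constructed values;
# the payload is the one shown in the report structure above).
VALIDATED_REPORTS = [
    {"id": "YWH-1", "endpoint": "http://example.com/?id=", "part_name": "id",
     "payload": '"><svg/onload=alert(document.domain)>'},
]


def vulnerable_handler(query: dict) -> str:
    """Original page: reflects the id parameter into an HTML attribute without encoding."""
    value = query.get("id", [""])[0]
    return f'<input name="id" value="{value}">'


def fixed_handler(query: dict) -> str:
    """Fixed page: attribute value is HTML-escaped (quotes included) before reflection."""
    value = html.escape(query.get("id", [""])[0], quote=True)
    return f'<input name="id" value="{value}">'


def replay(report: dict, handler) -> dict:
    """Replay one report's payload against a handler and decide whether the finding still reproduces."""
    query = parse_qs(urlsplit(report["endpoint"]).query, keep_blank_values=True)
    query[report["part_name"]] = [report["payload"]]
    body = handler(query)
    # The finding is reproduced if the raw payload survives into the response; an encoded
    # form ('&lt;svg', '&quot;') means the fix holds.
    reproduced = report["payload"] in body
    return {"id": report["id"], "reproduced": reproduced, "evidence": body}


def non_regression_gate(reports: list, handler) -> bool:
    """CI gate: True when no validated finding reproduces, False (fail the pipeline) otherwise."""
    return not any(replay(r, handler)["reproduced"] for r in reports)


if __name__ == "__main__":
    for name, h in (("before fix", vulnerable_handler), ("after fix", fixed_handler)):
        print(name, "gate passes:", non_regression_gate(VALIDATED_REPORTS, h))
        for r in VALIDATED_REPORTS:
            print("  ", replay(r, h))
```

The exact-substring check is deliberately conservative: a fix that mangles the payload but still leaves the sink unencoded would pass it, so in a real pipeline this gate complements the scanner finding (here, the WAS detection for the same endpoint) rather than replacing it.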
[Screenshot: GitLab issue list in which bug-bounty findings are tracked alongside ordinary issues, labelled "Bug Bounty", "API" or "Testing": "Postgres timeout when counting number of CI builds for usage ping" (gitlab-org/gitlab-ce#45938), "Searching in a group does not search subgroups" (gitlab-org/gitlab-ce#47395), "Can't attach image to epic description and comment" (gitlab-org/gitlab-ee#7009), "Stack trace of error from uploading image for object storage spews into screen" (gitlab-org/gitlab-ee#6699), "Better error handling for Elastic" (gitlab-org/gitlab-elasticsearch-indexer#19).]

[Diagram: Developers -> Commit -> CI/CD (Agent Test) -> Deploy -> Production]
Capitalisation?

Agent integrated into the business applications

- AI
- Scanner
- SIEM
- WAF

Capitalisation?

[Diagram: Bug Bounty findings feeding AI, Scanner, SIEM, SOC and WAF]


Capitalisation?

[Screenshot: Qualys WAS Detection List with Burp, Bugcrowd and YesWeHack tabs (Finding Type filter: Bugcrowd, YesWeHack). Two Active findings, QID 150046 "Reflected Cross-Site Scripting (XSS) in HTTP Header", on http://demo.qualys.com/vulnerabilities/upload/ and http://demo.qualys.com/vulnerabilities/fi/?page=file3.php, at Confirmed Vulnerability level.]